117 lines
2.8 KiB
Go
117 lines
2.8 KiB
Go
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"log"
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
type CTLogRootsResponse struct {
|
|
Certificates []string `json:"certificates"`
|
|
}
|
|
|
|
func generateRoots(args []string) {
|
|
sourceURL := "https://rennet2027h2.log.ct.ipng.ch/"
|
|
outputFile := "roots.pem"
|
|
|
|
// Parse command line arguments
|
|
for i := 0; i < len(args); i++ {
|
|
switch args[i] {
|
|
case "--source":
|
|
if i+1 >= len(args) {
|
|
log.Fatal("--source flag requires a URL argument")
|
|
}
|
|
sourceURL = args[i+1]
|
|
i++ // Skip the next argument since we used it
|
|
case "--output":
|
|
if i+1 >= len(args) {
|
|
log.Fatal("--output flag requires a filename argument")
|
|
}
|
|
outputFile = args[i+1]
|
|
i++ // Skip the next argument since we used it
|
|
default:
|
|
log.Fatalf("Unknown argument: %s", args[i])
|
|
}
|
|
}
|
|
|
|
// Ensure source URL ends with /
|
|
if !strings.HasSuffix(sourceURL, "/") {
|
|
sourceURL += "/"
|
|
}
|
|
|
|
// Construct the get-roots URL
|
|
getRootsURL := sourceURL + "ct/v1/get-roots"
|
|
|
|
// Fetch roots from CT log
|
|
fmt.Printf("Fetching roots from: %s\n", getRootsURL)
|
|
resp, err := http.Get(getRootsURL)
|
|
if err != nil {
|
|
log.Fatalf("Failed to fetch roots: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
log.Fatalf("HTTP request failed with status: %d", resp.StatusCode)
|
|
}
|
|
|
|
// Parse JSON response
|
|
var rootsResp CTLogRootsResponse
|
|
err = json.NewDecoder(resp.Body).Decode(&rootsResp)
|
|
if err != nil {
|
|
log.Fatalf("Failed to parse JSON response: %v", err)
|
|
}
|
|
|
|
// Collect all valid certificates in a buffer
|
|
var pemBuffer bytes.Buffer
|
|
validCertCount := 0
|
|
|
|
for _, certBase64 := range rootsResp.Certificates {
|
|
// Decode base64 certificate
|
|
certBytes, err := base64.StdEncoding.DecodeString(certBase64)
|
|
if err != nil {
|
|
log.Fatalf("Failed to decode certificate: %v", err)
|
|
}
|
|
|
|
// Parse X.509 certificate to check serial number
|
|
cert, err := x509.ParseCertificate(certBytes)
|
|
if err != nil {
|
|
log.Printf("Warning: Failed to parse certificate, skipping: %v", err)
|
|
continue
|
|
}
|
|
|
|
// Check for negative serial number
|
|
if cert.SerialNumber.Sign() < 0 {
|
|
log.Printf("Warning: Certificate with negative serial number found, skipping (serial: %s)", cert.SerialNumber.String())
|
|
continue
|
|
}
|
|
|
|
// Create PEM block
|
|
pemBlock := &pem.Block{
|
|
Type: "CERTIFICATE",
|
|
Bytes: certBytes,
|
|
}
|
|
|
|
// Write PEM to buffer
|
|
err = pem.Encode(&pemBuffer, pemBlock)
|
|
if err != nil {
|
|
log.Fatalf("Failed to encode PEM certificate: %v", err)
|
|
}
|
|
|
|
validCertCount++
|
|
}
|
|
|
|
// Write all certificates to file with status
|
|
err = writeFileWithStatus(outputFile, pemBuffer.Bytes())
|
|
if err != nil {
|
|
log.Fatalf("Failed to write output file %s: %v", outputFile, err)
|
|
}
|
|
|
|
fmt.Printf("Successfully wrote %d certificates to %s (out of %d total)\n", validCertCount, outputFile, len(rootsResp.Certificates))
|
|
}
|